Re: Security Additions Disappearing

From: Teresa Appelgate [MS] (tereap_at_online.microsoft.com)
Date: 04/09/04


Date: Fri, 9 Apr 2004 08:42:57 -0700

You mentioned that you're in mixed mode. Are the delegate accounts in AD?
Are they enabled or disabled, and if they are enabled, were they disabled
when you migrated them from 5.5?

There is a known case where permissions get reset. If you started out your
migration process by creating disabled user accounts in AD, then enabled
those accounts, make sure that the process that enabled the accounts also
cleared the msExchMasterAccountSid attribute. This attribute only has a
value on disabled accounts. If it has a value on an enabled account, you'll
see odd behaviors like resetting permissions.

-- 
Teresa Appelgate
Exchange User Education
****** Disclaimers ******
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias. This alias is for newsgroup
purposes only.
"DK" <anonymous@discussions.microsoft.com> wrote in message
news:1a26601c41d96$08907000$a401280a@phx.gbl...
> Update - it appears to be replication that is resetting
> these items.  Every 15 minutes or so, the permissions are
> reset on that account, matching the replication cycle, or
> approximately.  Since I do not know how these servers
> were originally installed and in what order, is there a
> possibility that one of these NT4 DC's still thinks it is
> a PDC or somehow resetting the 2000 DC's information?
> I've looked at all the FSMO roles, and all are set to the
> main Windows 2000 DC.  We're trying to see  if we can
> modify rights on the NT4 boxes one at a time to see if we
> can narrow it down to one of them.  Still, any help or
> ideas are appreciated.
>
>
>
> >-----Original Message-----
> >Willie -
> >
> >No, this Support account is only a member of Domain
> >Users, no other groups.  I've verified that nothing
> >GPO-wise is resetting it, from what I can tell.  If I
> >change it to give the rights I want, then
> >Secedit /refreshpolicy both policies, the rights remain.
> >We're trying to monitor how long it takes for the rights
> >to disappear to see if it corresponds with anything else,
> >but have not had much luck with that so far.  Can anything
> >be resetting these rights?  We have no 'rogue admins' out
> >there...
> >
> >
> >>-----Original Message-----
> >>Is the Support account that you are giving the users
> >Send As and Receive As
> >>rights a member of the built-in Administrators or
> Domain
> >Administrators
> >>groups?
> >>
> >>If so that would explain why the permissions are being
> >reset.
> >>
> >>There is a template that holds a set of permissions
> that
> >are applied to
> >>accounts that are members of the built-in
> Administrators
> >or Domain
> >>Administrators groups.  These permissions are applied
> at
> >regular intervals.
> >>The regular application of permissions on the users in
> >the Administrators
> >>group is a security feature designed to maintain
> >consistent permissions on
> >>those user accounts.
> >>
> >>-- 
> >>Willie Ryder
> >>Microsoft PSS
> >>
> >>wryder@online.microsoft.com
> >>
> >>Please do not send email directly to this alias.  This
> >alias is for
> >>newsgroup purposes only.
> >>
> >>This posting is provided "AS IS" with no warranties,
> and
> >confers no rights.
> >>"DK" <anonymous@discussions.microsoft.com> wrote in
> >message
> >>news:19bcb01c41ce7$e3919ad0$a401280a@phx.gbl...
> >>> Apologize for the cross-post in the Exchange forum,
> but
> >>> this is a mixed, odd scenario.
> >>>
> >>> We have a Support user/mailbox that is managed by
> three
> >>> other users (UserA,UserB and UserC).  We started off
> >>> having trouble with Send On Behalf being displayed in
> >the
> >>> e-mail when these users sent mail as Support.  We
> don't
> >>> want that, as it may be a different person responding
> >>> each time...nor do we want the individual user's name
> >>> attached into the e-mail.
> >>>
> >>> So, by other advice in the Exchange forums, we added
> >the
> >>> Send As and Receive As rights, as well as full mailbox
> >>> rights to the Support account in Active Directory
> Users
> >>> and Computers (via the Security tab and Exchange
> >Advanced-
> >>> Mailbox Rights tab).  This seemed to work out, after
> >some
> >>> trial and error.  These users ONLY have the rights
> >listed
> >>> above over the Support user/mailbox.  But after some
> >>> amount of time (we have not yet confirmed if it is
> >hours
> >>> or minutes yet), the rights that we set up in the
> >>> Security tab of ADUC are gone.  The three added users
> >>> have been removed somehow from those rights.  This is
> a
> >>> mixed mode Windows 2000 domain (2 2K DC's and 4 NT4
> >>> BDC's), and replication is slow, but doesn't appear to
> >>> have any other problems. (That we can immediately see)
> >>>
> >>> Can anyone give any hints or areas to check that would
> >cause
> >>> something like this to happen?
> >>> .
> >>>
> >>>
> >>
> >>
> >>.
> >>
> >.
> >
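
An added example, not part of the original posts: one way to audit for the condition described in the reply at the top of this thread, enabled accounts that still carry a value in msExchMasterAccountSid. It assumes an LDIF export of the directory (such as one produced by ldifde) that includes dn, userAccountControl and msExchMasterAccountSid; the sample entries and SID value are constructed.

```python
import base64
import struct

ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts

def parse_ldif(text):
    """Parse an LDIF export into {attribute: value} dicts (one value per attribute)."""
    entries, current = [], {}
    # Normalise line endings, then unfold continuation lines (newline + space).
    lines = text.replace("\r\n", "\n").replace("\n ", "").splitlines()
    for line in lines + [""]:
        if not line.strip():              # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            binary = rest.startswith(":")  # "attr:: value" is base64 (binary)
            value = rest.lstrip(":").strip()
            current[name.lower()] = base64.b64decode(value) if binary else value
    return entries

def sid_to_string(raw):
    """Render a binary SID as S-<revision>-<authority>-<sub-authorities>."""
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:8 + 4 * raw[1]])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def enabled_with_master_sid(entries):
    """Return (dn, sid) for enabled accounts that still hold msExchMasterAccountSid."""
    hits = []
    for e in entries:
        uac, sid = e.get("useraccountcontrol"), e.get("msexchmasteraccountsid")
        if uac is not None and sid and not int(uac) & ACCOUNTDISABLE:
            hits.append((e["dn"], sid_to_string(sid)))
    return hits

# Constructed sample export; the DNs and the SID value are made up for illustration.
SAMPLE_SID = base64.b64encode(bytes.fromhex("01010000000000050a000000")).decode()
SAMPLE_LDIF = f"""dn: CN=Support,OU=Example,DC=example,DC=test
userAccountControl: 512
msExchMasterAccountSid:: {SAMPLE_SID}

dn: CN=Legacy,OU=Example,DC=example,DC=test
userAccountControl: 514
msExchMasterAccountSid:: {SAMPLE_SID}

dn: CN=UserA,OU=Example,DC=example,DC=test
userAccountControl: 512
"""
```

Calling `enabled_with_master_sid(parse_ldif(SAMPLE_LDIF))` reports only the Support entry: the Legacy account is disabled, so a value there is expected, and UserA has no value at all.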

